
Major Microsoft Multifactor Authentication Vulnerability Revealed

A vulnerability in Microsoft’s multifactor authentication (MFA) system has been uncovered by cybersecurity firm Oasis Security, allowing attackers to bypass security measures and access sensitive data across services including Outlook, OneDrive, Teams and Azure.

In a report by Oasis Security (PDF), the bypass, which could have affected more than 400 million customers, took very little effort by the firm's security team to exploit. "The bypass was simple: It took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble," read the report.

Oasis Security identified key weaknesses in Microsoft's session management and authentication code validation:

  • Lack of rate limiting: Attackers could rapidly create new sessions and attempt multiple six-digit codes, effectively bypassing the 10-attempt limit per session.
  • Extended code validity: Although time-based one-time passwords (TOTP) should expire within 30 seconds, according to Oasis Security, Microsoft’s system accepted codes for up to three minutes. This extension allowed attackers to significantly increase the number of attempts within a single session.

Oasis Security's tests showed attackers had more than a 50 percent chance of guessing a valid code within 70 minutes by exploiting these vulnerabilities, and its own team had a success rate of 3 percent within the initial three-minute window.

The security firm has said that Microsoft worked quickly to implement permanent changes in October after being alerted to the issue in June. "While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day," read the report.

While the flaw in Microsoft's MFA system has been addressed, Oasis Security said that it's up to organizations to take a proactive approach when using authentication tools and has some advice for enterprise IT:

  • Enable MFA: Multi-Factor Authentication remains a vital safeguard against unauthorized access. Opt for secure options like authenticator apps or passwordless solutions.
  • Monitor for credential leaks: Frequently update passwords and stay alert for signs of compromised credentials to mitigate potential risks.
  • Set alerts for failed MFA attempts: Configure notifications for failed second-factor authentication attempts to quickly identify and address targeted attacks.

For companies like Microsoft that deploy MFA systems, the security firm recommends implementing proper rate limits to lock accounts after multiple failed attempts.
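To make the "lack of rate limiting" weakness and the recommended fix concrete, here is an added toy example (not code from Oasis Security's report or from Microsoft) contrasting a verifier that counts failed codes per session with one that counts them per account and locks the account for roughly half a day. The account name, session ids, the 10-attempt threshold and the 12-hour lockout are constructed assumptions for the demonstration.

```python
# Added example, not from the report or from Microsoft: a toy MFA code verifier
# showing why a per-session attempt limit alone does not bound guessing.
from collections import defaultdict

MAX_PER_SESSION = 10            # the per-session limit the report describes
MAX_PER_ACCOUNT = 10            # hardened: counted across all sessions (assumed value)
LOCKOUT_SECONDS = 12 * 3600     # "around half a day", as the report puts it


class SessionLimitedVerifier:
    """Weak design: failures are counted per session id, so every fresh
    session starts from zero and the account-wide total is unbounded."""
    def __init__(self, clock):
        self.clock = clock
        self.failures = defaultdict(int)     # keyed by session id

    def verify(self, account, session, code, expected):
        if self.failures[session] >= MAX_PER_SESSION:
            return "session_locked"
        if code == expected:
            return "ok"
        self.failures[session] += 1
        return "wrong_code"


class AccountLimitedVerifier:
    """Hardened design: failures are counted per account regardless of
    session, and reaching the threshold locks the account for LOCKOUT_SECONDS."""
    def __init__(self, clock):
        self.clock = clock                   # injected so tests can advance time
        self.failures = defaultdict(int)     # keyed by account
        self.locked_until = {}

    def verify(self, account, session, code, expected):
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "account_locked"          # rejected without evaluating the code
        if code == expected:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_PER_ACCOUNT:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "wrong_code"


def attempts_evaluated(verifier, account, sessions, per_session):
    """Count how many wrong codes a client opening `sessions` fresh sessions,
    `per_session` guesses each, actually gets evaluated against the secret."""
    evaluated = 0
    for s in range(sessions):
        for _ in range(per_session):
            if verifier.verify(account, f"sess-{s}", "000000", "123456") == "wrong_code":
                evaluated += 1
    return evaluated
```

With 100 fresh sessions the per-session verifier evaluates all 1,000 guesses, while the account-wide verifier evaluates 10 and then rejects everything until the lockout expires.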

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
